M&A Due Diligence Should Now Include an AI Tool Audit
Somewhere right now, a deal team is running diligence on a target company and completely ignoring the fact that 40% of the target's employees are pasting proprietary data into consumer AI tools. That liability is real, it is quantifiable, and it is going to start showing up in purchase price adjustments. If it hasn't already.
AI tool usage inside a company creates a specific, underexamined category of risk that touches trade secret protection, data privacy compliance, contractual obligations, and IP ownership. Acquirers who skip this are buying problems they could have priced or walked away from.
Why This Matters for Trade Secrets Specifically
Trade secret protection under the Defend Trade Secrets Act (DTSA, 18 U.S.C. 1836) and its state equivalents (most states have adopted some version of the Uniform Trade Secrets Act) requires that the holder take "reasonable measures" to keep the information secret. That requirement is not aspirational. Courts enforce it, and they look at actual practices, not just policies on paper.
When employees input proprietary formulas, customer lists, source code, pricing models, or strategic plans into third-party AI tools, the company may be destroying the trade secret status of that information. OpenAI's terms of service for ChatGPT's free and Plus tiers, for example, historically allowed the use of inputs for model training unless users opted out. Anthropic, Google, and others have their own data use policies, and they change frequently. The question for diligence is straightforward: did the target's employees feed protected information into tools that may have used it for training, and if so, has the information lost its protected status?
Samsung learned this the hard way in early 2023 when engineers pasted proprietary semiconductor source code into ChatGPT on at least three separate occasions. Samsung responded by banning the tool internally, but the damage to the confidentiality of that code was already done. An acquirer looking at a company with similar exposure would need to assess whether key IP assets still qualify for trade secret protection at all.
What Acquirers Should Be Asking
The AI tool audit in diligence should be structured and specific. Here is what a reasonable request list looks like:
- Inventory of AI tools in use. Not just sanctioned tools. Shadow IT matters more here. A 2024 survey by Salesforce found that more than half of generative AI users at work were using unapproved tools. You need to understand what employees are actually using, not what IT approved.
- Data flow mapping for each tool. What data categories have been input? Are inputs stored, logged, or used for training by the vendor? What are the contractual terms governing data retention and use?
- Policy documentation and enforcement. Does the target have an acceptable use policy for AI tools? When was it adopted? Is there evidence of enforcement, or is it shelf-ware?
- Incident history. Has there been any known instance of sensitive data being input into a consumer AI tool? How was it handled?
- Contractual exposure. Do the target's customer contracts, vendor agreements, or NDAs contain provisions that would be breached by AI tool data sharing? Many enterprise contracts include clauses prohibiting disclosure of confidential information to third parties, and AI vendors are third parties.
- IP ownership questions. Has the target used AI tools to generate code, content, or other deliverables that it represents as proprietary? The U.S. Copyright Office's February 2023 guidance on AI-generated content (and the Thaler v. Perlmutter decision from August 2023) makes clear that purely AI-generated works are not copyrightable. If key product components were AI-generated, the target's IP portfolio may be weaker than represented.
- Regulatory compliance. For targets in healthcare (HIPAA), financial services (GLBA, SOX), defense (CMMC, ITAR), or education (FERPA), has AI tool usage created compliance violations? Inputting PHI into a non-BAA-covered AI tool is a HIPAA breach, full stop.
Pricing the Remediation
This is where it gets interesting from a deal mechanics perspective. AI tool misuse creates remediation costs that are real but often not captured in traditional diligence frameworks.
Consider a target in financial services where employees have been using a consumer AI chatbot to draft client communications and summarize account data. The remediation might include:
- Breach notification costs. If personal financial data was shared with a non-compliant third party, notification obligations under GLBA's Safeguards Rule or state breach notification statutes may be triggered. The average cost of a data breach in financial services was $6.08 million in 2024, according to IBM's Cost of a Data Breach Report.
- Regulatory penalties. Depending on the regulator and the data involved, fines can be significant. OCR has settled HIPAA cases for AI-adjacent data sharing issues, and state attorneys general are increasingly active.
- Contract remediation. If customer NDAs or data processing agreements were violated, the target may face claims, termination rights, or indemnification obligations from its own customers.
- Trade secret re-evaluation. If key trade secrets have been compromised, the valuation of the target's IP portfolio needs adjustment. This can be substantial when the deal thesis depends on proprietary technology or processes.
- Policy and infrastructure buildout. Deploying enterprise AI governance, including approved tool provisioning, DLP controls, monitoring, and training, typically runs $200K to $1M+ depending on company size and complexity.
These costs should be reflected in the purchase price, held in escrow, or addressed through specific indemnification provisions in the acquisition agreement. A well-drafted AI representations and warranties section is becoming as important as the standard IP reps.
Reps and Warranties Considerations
Standard IP representations in acquisition agreements typically cover ownership, non-infringement, and the absence of known claims. They need to be expanded. Acquirers should require specific representations regarding AI tool usage, including confirmation that reasonable measures were maintained to protect trade secrets (with "reasonable measures" defined to include AI tool governance), that no material proprietary information was shared with AI vendors outside of enterprise agreements with appropriate data protections, and that AI-generated outputs have been identified and are not misrepresented as original works for IP purposes.
Reps and warranties insurance carriers are starting to pay attention to this as well. Underwriters are asking about AI governance in their diligence questionnaires, and gaps here could affect coverage terms or pricing.
The Broader Pattern
AI tool audits in M&A diligence are part of a larger shift. Five years ago, cybersecurity diligence was an afterthought; now it is standard after deals like Verizon's acquisition of Yahoo, where two massive data breaches led to a $350 million reduction in the purchase price. AI governance is on the same trajectory. The companies that get ahead of this will be better positioned both as acquirers and as acquisition targets.
The practical challenge is that most companies, especially mid-market targets, have limited visibility into their own AI tool usage. They may have a policy, but they rarely have monitoring or enforcement infrastructure. That gap between policy and practice is exactly where diligence risk lives.
How FirmAdapt Addresses This
FirmAdapt's architecture is designed so that proprietary data never leaves the compliance boundary in the first place. When employees use AI capabilities through FirmAdapt, inputs are processed within a controlled environment with data handling policies enforced at the platform level, not dependent on individual employee behavior or third-party vendor terms that can change without notice. This means companies running on FirmAdapt can demonstrate, with audit logs, that trade secret material was not exposed to external model training pipelines.
For acquirers, a target running FirmAdapt presents a cleaner diligence profile on AI governance. For companies anticipating a future exit or capital raise, adopting a compliance-first AI platform now reduces the remediation costs and reps-and-warranties exposure that will inevitably come up in diligence. FirmAdapt provides the documentation and architectural controls that make those conversations straightforward rather than adversarial.